The US Computer Emergency Readiness Team (US-CERT) has issued an alert on the DROWN attack against servers that still accept SSLv2 (https://www.us-cert.gov/ncas/current-activity/2016/03/01/SSLv2-DROWN-Attack). DROWN is a cross-protocol attack: if an attacker can reach a server that accepts SSLv2 and that shares its RSA private key with a TLS server, then by collecting TLS handshakes that use RSA key exchange and making a large number of crafted SSLv2 connections to the SSLv2-enabled server, the attacker can decrypt the RSA-protected TLS session keys and, with them, the captured TLS traffic. The server's private key itself is not recovered; what is exposed is the content of TLS sessions whose RSA key exchange the attacker has captured.

Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) is a server-side vulnerability and does not affect clients. Note that a server with SSLv2 disabled is still exposed if its RSA private key (or certificate) is also used by any other server, or any other service on the same host, that does accept SSLv2, because the attacker can use that second endpoint as the SSLv2 oracle.

IMPACT ASSESSMENT

Progress DataDirect has reviewed our products and determined that all of the on-premise ODBC drivers, OpenAccess SDK, SequeLink and DataDirect Cloud products are NOT affected by DROWN.

The on-premise ODBC drivers and DataDirect Cloud products operate as clients, and DROWN is exploited against the server side of a connection. OpenAccess SDK and SequeLink have the SSLv2 protocol disabled in all of their SSL/TLS servers. According to OpenSSL, "users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS servers, if they've not done so already."
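The practical check for the OpenSSL guidance above is to confirm that no server actually negotiates SSLv2, since a configuration that merely omits SSLv2 ciphers can still answer an SSLv2 ClientHello. The following probe is an added example written for this advisory; it is not Progress DataDirect code. It builds a raw SSLv2 ClientHello (wire format per the SSL 2.0 specification), sends it, and parses the SSLv2 ServerHello, if any, reporting the cipher kinds offered and flagging the 40-bit export kinds that the general DROWN attack relies on. The probe() function, its host and port arguments and the SAMPLE_SERVER_HELLO bytes are assumptions constructed for illustration.

```python
"""Probe a TLS endpoint for SSLv2 support, the precondition for DROWN.

Sends a raw SSLv2 ClientHello and parses the ServerHello reply, if any.
Added example for this advisory; not vendor code.
"""
import os
import socket
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit export kinds: the oracle used by the general DROWN attack.
EXPORT_KINDS = {b"\x02\x00\x80", b"\x04\x00\x80"}

MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4


def build_client_hello(challenge=None):
    """Build an SSLv2 ClientHello offering every SSLv2 cipher kind."""
    challenge = challenge or os.urandom(16)
    cipher_specs = b"".join(SSL2_CIPHER_KINDS)  # dict keys, insertion order
    body = (
        bytes([MSG_CLIENT_HELLO])
        + b"\x00\x02"  # CLIENT-VERSION = SSL 2.0
        + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
        + cipher_specs
        + challenge  # no session id, then the challenge
    )
    # 2-byte record header: high bit set, low 15 bits carry the body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Return a summary dict if `data` is an SSLv2 ServerHello, else None.

    A TLS alert (first byte 0x15) or an empty reply means SSLv2 was refused.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    # MSG-TYPE, SESSION-ID-HIT, CERTIFICATE-TYPE, VERSION(2), three lengths(6)
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, specs_len, conn_len = struct.unpack(">HHH", body[5:11])
    if len(body) < 11 + cert_len + specs_len + conn_len:
        return None  # truncated record
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    kinds = [specs[i:i + 3] for i in range(0, specs_len - specs_len % 3, 3)]
    return {
        "version": version,
        "certificate_len": cert_len,
        "ciphers": [SSL2_CIPHER_KINDS.get(k, k.hex()) for k in kinds],
        "export_ciphers": [SSL2_CIPHER_KINDS[k] for k in kinds if k in EXPORT_KINDS],
    }


def probe(host, port=443, timeout=5.0):
    """Connect and return parse_server_hello() of the reply (None = no SSLv2)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return None
    return parse_server_hello(reply)


# Constructed sample reply (not captured from any real server): a ServerHello
# with a 2-byte placeholder certificate, two cipher kinds (one export grade)
# and a 16-byte connection id.
_SAMPLE_CERT = b"\x30\x82"
_SAMPLE_SPECS = b"\x01\x00\x80" + b"\x04\x00\x80"
_SAMPLE_CONN_ID = b"\x00" * 16
_SAMPLE_BODY = (
    bytes([MSG_SERVER_HELLO, 0, 1]) + b"\x00\x02"
    + struct.pack(">HHH", len(_SAMPLE_CERT), len(_SAMPLE_SPECS), len(_SAMPLE_CONN_ID))
    + _SAMPLE_CERT + _SAMPLE_SPECS + _SAMPLE_CONN_ID
)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_SAMPLE_BODY)) + _SAMPLE_BODY


if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    if result is None:
        print("no SSLv2 ServerHello: SSLv2 refused")
    else:
        print("SSLv2 ACCEPTED; offered:", result["ciphers"])
        if result["export_ciphers"]:
            print("export-grade kinds present:", result["export_ciphers"])
```

Any SSLv2 ServerHello at all is a finding, even with an empty cipher list, because the endpoint is still handling SSLv2 records; and the check must be run against every host that shares the RSA key, not only the one the client connects to.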

ADDITIONAL SECURITY ADVISORIES

Along with DROWN, the following security advisories were announced on March 1, 2016. These vulnerabilities have little or no impact on the on-premise ODBC drivers, OpenAccess SDK, SequeLink and DataDirect Cloud products.